The Health Information Trust Alliance (HITRUST) recently updated its Common Security Framework to include privacy controls. This means organizations can rely on a single framework to manage privacy, security and compliance. Can you explain the updates to the CSF and the benefits or drawbacks of using a single framework?
First, it is important to have a little background on the Health Information Trust Alliance (HITRUST). HITRUST is a nonprofit organization created by healthcare organizations to collaborate on security and privacy issues. It is not a regulatory body, but it assists its member organizations in complying with the many regulations governing healthcare in the United States.
The HITRUST Common Security Framework (CSF) intends to help organizations design a common set of security controls that meet varied regulatory requirements and international standards, including HIPAA, PCI DSS, COBIT, NIST and ISO. The first six versions of the framework provided a normalized mapping of security requirements to a common set of controls, easing the burden on compliance professionals seeking to reconcile various overlapping requirements.
The seventh version of the Common Security Framework, released in January 2015, added privacy controls. These controls cover three objectives:
- Openness and transparency
- Individual choice and participation
Most healthcare organizations must comply with both security and privacy regulations, and the controls for both domains often overlap. Combining these controls into a single framework allows organizations to spend less time reading regulations and focus on delivering security and privacy results.
Related Q&A from Mike Chapple